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DISCLAIMER: This product is provided "as is" for informational purposes only. The Department of Health and Human Services (HHS) does not provide any 
warranties of any kind regarding any information contained within. The HHS does not endorse any commercial product or service referenced in this product or 
otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. Sources may use TLP: GREEN when 
information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP: 
GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. REF: https://www.us- 
cert.gov/tlp 


The Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC) has 
notified the Department of Health and Human Services (HHS) of an increase in ransomware incidents at some healthcare 
organizations in the U.S. This Bulletin provides Healthcare and Public Health (HPH) Partners with information regarding 
ransomware, mitigation strategies, as well as additional materials to reference located within the HSIN HPH Cyber Threat 
Library. 

Information in this bulletin was developed in coordination with and for the benefit of the HPH Sector Critical Infrastructure 
Protection (CIP) Partnership. The HPH CIP Partnership operates under the National Infrastructure Protection Plan and is 
coordinated within HHS by the Office of the Assistant Secretary for Preparedness and Response. The partnership is 
dedicated to joint public and private sector efforts to protect the HPH Sector from all hazards through information sharing 
and collaborative risk management. 

This bulletin is specific to the Locky variant of ransomware. Additional details of the Locky variant, and other variants, are 
available in a number of creditable products posted to the HSIN HPH Cyber Threat Library, the US-CERT Portal, and US- 
CERT Open Internet Website. If your organization, hospital, or facility experiences a similar cyber attack, please contact 
law enforcement immediately. You may also be able to find assistance from the DHS National Cybersecurity and 
Communications Integration Center (NCCIC) or an Information Sharing and Analysis Organization (ISAO) such as NH- 
ISAC or HITRUST. If you have any questions about which resources may be available to you or how to connect with 
them, please contact us at cip(a)hhs.qov . 

Creditable Sources on Ransomware 

• FBI FLASH MC-000068-MW 

• US-CERT Alert (TA16-091 A) Ransomware and Recent Variants 

• FBI FLASH MC-000070-MW 

• Samas.AJOCJJst 

• HPH-HSIN Bulletin on Ransomware 03312016 

Threat Details - Locky Ransomware variant 

There is recent open source reporting that ties Locky Ransomware to the Dridex infrastructure. The malware seems to be 
most commonly delivered through mass phishing emails with malicious attachments. New discoveries suggest that recent 
Locky ransomware campaigns are using multiple types of attachments as the delivery mechanism. Unlike previous 
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variants, some of these instances no longer depend on the user enabling document macros to begin the encryption 
process. 

Similarly, once the user opens the attachment, Locky attempts to download the encryption payload, looks for file 
extensions on the hard drive, and encrypts them. The token ‘Ransom note image’ is displayed with this message to the 
user: “All of your files are encrypted with RSA-2048 and AES-128 ciphers. Decrypting of your files is only possible with the 
private key and decrypt program, which is on our secret server”. 

Below provides a list of recently discovered attachments along with their functionality: 

• JavaScript files that download and execute a malicious binary which performs the encryption. 

• .zip files which contain the malicious JavaScript files. 

• Microsoft Word documents that contain macros that automatically create and execute a malicious .vbs file. This 
.vbs file then downloads and executes a malicious binary which performs the encryption. 

Indicators of Compromise (IOC) 

The hash values, associated domains, and internet protocol addresses appear to be constantly changing and are 
therefore not reliable. 

Mitigation 

Guidance at this point mirrors the mitigation advice for most ransomware: 

• If lOCs are determined for a particular attack, monitor for other systems communicating with those lOCs. While 
lOCs change between attacks, observations indicate that individual emails associated with an attack share 
indicators. 

• Monitor for unexpected emails containing .doc, .js, and .zip files. 

• Monitor for the creation of malicious .js and .vbs files on file systems, particularly in users’ Application Data and 
Temp folders. 

• Patch applications to ensure antivirus, OS, and third party software products are up-to-date. 

• Do not open suspicious attachments or follow suspicious links. 

• Perform regular backups that are stored on non-network connected machines. 
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